[libvirt-users] TLS and intermediate CA

Daniel P. Berrange berrange at redhat.com
Tue Apr 22 14:35:58 UTC 2014

On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote:
> Thanks for the response.
> My current chain is as follows:
> caroot -> child-ca1 -> server cert
> My cacert.pem file has both the caroot and the child-ca1 certs. I have
> recompiled libvirt on my machine with some extra debug statements and
> verified that both the caroot cert and the child-ca1 certs are being
> loaded. But when I try to connect the caroot and child-ca1 certs only
> appear under the "Acceptable client certificate CA names" not the
> certificate chain. The error I get on the client when connecting is that
> the server identity could not be verified since the server isn't presenting
> the entire CA chain just its own cert.

Are you willing / able to share the output of

 certtool -i --infile <filename>.pem

for the cacert.pem and servercert.pem on the server, and the likewise for
the cacert.pem and clientcert.pem (if used) on the client the fails to

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvirt-users mailing list